DATA PROTECTION IS IMPORTANT TO US

Privacy Policy for www.info.lidl

Thank you for your interest in data protection at Lidl Stiftung & Co. KG (hereinafter "Lidl"). We at Lidl want you to feel comfortable and safe when you visit our website, and to know that one of the things that sets us apart is our commitment to protecting our customers' data.

The following data protection notice is designed to inform you about how and to what extent your personal data is processed when you visit the website www.info.lidl. Personal data is information that identifies you or could identify you directly or indirectly. The statutory basis for data protection is, in particular, the EU General Data Protection Regulation (GDPR).

I.    Overview

Data processing by Lidl Stiftung & Co. KG primarily starts when the website is accessed and thereafter. Various information is exchanged between your end device and our server. This may also involve personal data. The information collected in this way is used to optimize our website or, if you have given your consent to do so, to analyze your behavior on the website.

II.    Accessing our website

Purposes of the processing/legal bases:

When accessing our website, the browser used on your end device will – automatically and without any action on your part – send

  • the IP address of the accessing Internet-enabled device;
  • the date and time of access;
  • the name and URL of the requested file;
  • the website/application from which the access occurred (referrer URL);
  • the browser and, where relevant, the operating system of your Internet-enabled computer as well as the name of your access provider

to our website server and be stored temporarily in what is known as a log-file for the following purposes:

  • to ensure a fault-free connection;
  • to ensure the comfortable use of our website/application;
  • to analyze system security and stability.

The legal basis for the processing of the data listed is Article 6(1)(f) GDPR. The purposes of data processing listed above constitute our legitimate interest.

Recipients/categories of recipient:

In connection with the aforementioned processing, your data will also be processed on our behalf by processors in the IT hosting services sector. Such processors are carefully selected, audited by us and bound by contract in accordance with Article 28 GDPR.


 

Storage time/criteria for determining storage time:

Data will be stored for a period of seven days and automatically deleted thereafter.

III.    Use of cookies and other similar technologies to process usage data

Purposes of the processing/legal bases:

We, Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, are the controller with respect to data processing in connection with the use of "cookies" and other similar technologies to process usage data on all (sub-)domains at https://info.lidl.

Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie stores certain information that results in connection with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

Cookies and the other technologies used to process usage data are deployed for the following purposes, depending on the categories of cookie/other technologies:

  • Technically necessary: these are cookies and similar technologies without which you cannot use our services (e.g., for the correct display of our website/functions requested by you, etc.).
  • Preferences: using these methods, we can take into account your actual or perceived preferences to enhance the user experience. For example, we can use your settings to display our website in a language relevant to you.
  • Statistics: these technologies enable us to tailor the design of our services by producing anonymized statistics about how they are used. For example, we can use them to determine how better to adapt our website to user habits.

For an overview of the cookies and other technologies we use, including the respective purposes of processing, storage periods and any third party providers involved, see our cookie policy.

Depending on the purpose, the use of cookies and similar technologies to process usage data involves processing the following types of personal data in particular:

Technically necessary:

  • user inputs to store the user's consent status for the current domain (e.g., cookie consent);
  • security-related events (e.g., identifying repeat failed sign-in attempts);
  • data to play back multimedia content (e.g., playing (product) videos selected by you).

Preferences:

  • Settings to customize the user interface (e.g., selecting the preferred language);

Statistics:

  • Pseudonymized usage profiles containing information on the use of the website. These contain in particular:
    • browser type/browser version;
    • operating system used;
    • device used;
    • referrer URL (i.e., the previously visited page);
    • host name of the accessing computer (IP address);
    • time of the server request;
    • individual user ID; and
    • events triggered on the website (web browsing behavior).
  • The IP address is routinely anonymized, which in principle means it is no longer possible to identify you.

The legal basis for using preference and statistics cookies is your consent given pursuant to Article 6(1)(a) GDPR. The legal basis for using technically necessary cookies is Article 6(1)(f) GDPR because we have a legitimate interest in offering you a functional website.

You may withdraw/modify your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. Click hereto make your selection.

Recipients/categories of recipient:

When using cookies and similar technologies to process usage data, we may on occasion retain specialized service providers to process data. They process your data on our behalf as processors. Each has been carefully selected and bound by contract in accordance with Article 28 GDPR. All of the companies listed as service providers in our cookie policy act as processors on our behalf.

In the context of our cooperation with Google LLC, the aforementioned data is generally also processed for statistical purposes on servers located in the U.S.

Storage time/criteria for determining storage time:

For information on the duration of storage for cookies, see our cookie policy. If "persistent" is entered in the "expiration" column, the cookie will be stored permanently until the corresponding consent is withdrawn.

 

IV. Customer service

Purposes of the processing/legal bases:

We treat all personal data which you provide us with on the contact form, by telephone, e-mail or via social media (e.g., when you contact customer service) confidentially. We use your data solely for the limited purpose of processing your inquiry. The legal basis for the data processing is Article 6(1)(f) and Article 6(1)(b) GDPR. Our shared (legitimate) interest in this data processing arises from the objective of answering any inquiries and resolving any issues you may have and thus ensuring and improving your level of satisfaction as a customer or other user of our website.

If you participate in our customer survey, you do so on a purely voluntary basis. In conducting these anonymous surveys, no information is stored that can be used to identify respondents. Only the date and time of your participation will be stored. All personal data that you provide when responding to our survey will be regarded as provided voluntarily and stored in accordance with the GDPR. Please refrain from entering names or other information in the text fields that could be used to identify you or other persons. In the event that consent is given in the context of a customer survey, Article 6(1)(a) GDPR is the legal basis for any data processing carried out on the basis of such consent. Where you have given your consent in the context of a customer survey, you are entitled to withdraw that consent at any time with effect for the future. In this case, further details are governed in the specific privacy policies of the respective customer survey.

Recipients/categories of recipient:

When responding to your requests and in order to evaluate customer surveys, we will also have processors specializing in customer service and customer surveys process your data on our behalf. Such processors are carefully selected, audited by us and bound by contract in accordance with Article 28 GDPR.

Furthermore, it may be necessary for us to pass on excerpts of your inquiry to contractual partners (e.g., suppliers in the case of product-specific inquiries) for the purpose of processing your inquiry. In these cases your inquiry will be anonymized in advance, meaning that third parties will not be able to identify you. Should it be necessary to pass on your personal data in individual cases, we will notify you in advance and obtain your consent.

The results of our customer surveys are generally used for internal evaluation purposes only. We will not pass on your personal data to third parties unless you have given your express consent for this.

Storage time/criteria for determining storage time:

We delete or anonymize all personal data we receive from you when you make inquiries (positive/negative comments or suggestions) via the website or by e-mail no later than 90 days after the final response is sent. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject (see section VI below), your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met. The duration of storage for any personal data collected in the context of customer surveys will be notified in advance as part of the specific customer survey.

V. Data transfers to recipients in a third country

If we transfer data to recipients in a third country (located outside of the European Economic Area), this will be evident in the information on the recipients/categories of recipient in the description of the respective data processing. Some third countries have been certified by the European Commission through so-called adequacy decisions as having a level of data protection comparable to that offered in the European Economic Area. A list of these countries is available at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html. Where no comparable data protection standard exists in a given country, we take other measures to ensure that an adequate level of data protection is guaranteed by other means, such as binding corporate rules, the European Commission's standard contractual clauses on the protection of personal data, certificates or recognized codes of conduct. For further information, please contact our data protection officer (section 19).

VI. Rights of data subjects

In addition to the right to withdraw any consent you have granted to us, you have the following additional rights provided the respective statutory conditions are met: 

  • right of access to your personal data stored with us pursuant to Article 15 GDPR;
  • right to rectification of inaccurate personal data and the right to have incomplete personal data completed pursuant to Article 16 GDPR;
  • right to erasure of your personal data stored with us pursuant to Article 17 GDPR;
  • right to a restriction of processing of your data pursuant to Article 18 GDPR;
  • right to data portability pursuant to Article 20 GDPR;
  • right to object pursuant to Article 21 GDPR;

1.    Right of access pursuant to Article 15 GDPR

Pursuant to Article 15(1) of the GDPR, you have the right to request information, free of charge, on the personal data stored about you. This particularly includes:

  • the purposes for which personal data is being processed;
  • the categories of personal data that are being processed;
  • the recipients or categories of recipient to whom personal data concerning you has been or will be disclosed;
  • the planned duration of the storage of the personal data concerning you or, if it is not possible to give any specific details, the criteria used to determine the storage duration;
  • the existence of a right to rectification or erasure of the personal data concerning you, a right to request from the controller that processing be restricted or a right to object to this processing;
  • the right to lodge a complaint with a supervisory authority;
  • all available information regarding the origin of the data if the personal data is not being collected from the data subject;
  • the existence of any automated decision-making processes including profiling pursuant to Article 22(1) and (4) GDPR and – at least in these cases –meaningful information regarding the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

If personal data is transferred to a third country or an international organization, you have the right to be notified about appropriate safeguards pursuant Article 46 GDPR in connection with the transfer.

2.    Right to rectification pursuant to Article 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3.    Right to erasure pursuant to Article 17 GDPR

 You have the right to require us to erase any personal data concerning you without undue delay where one of the following grounds applies: 

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw your consent on which the processing pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR was based and there is no other legal ground for the processing;
  • you object to the processing pursuant to Article 21(1) or (2) GDPR, and in the case of Article 21(1) GDPR there are no overriding legitimate grounds for the processing;
  • the personal data was unlawfully processed;
  • the erasure of personal data is necessary in order to comply with a legal obligation;
  • the personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Where we have made the personal data public and are obliged to erase it, taking account of available technology and the cost of implementation we will take reasonable steps to inform any third parties processing your data of the fact that you have requested the erasure by such third parties of any links to, or copies or replications of, such personal data.

 
4.    Right to restriction of processing pursuant to Article 18 GDPR

You have the right to require us to restrict the processing where one of the following applies:

  • you contest the accuracy of the personal data;
  • the processing is unlawful and you request the restriction of the use of the personal data rather than its erasure;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims or
  • you have objected to the processing pursuant to Article 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.

5.    Right to data portability pursuant to Article 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller without hindrance by us, where

  • the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) GDPR and
  • the processing is carried out by automated means.

In exercising your right to data portability you have the right to have the personal data transmitted directly from us to another controller where technically feasible.

6.    Right to object pursuant to Article 21 GDPR

Provided the requirements of Article 21(1) GDPR are met, you may object to the data processing on grounds relating to your particular situation.

The aforementioned general right to object applies to all processing grounds set out in this privacy policy, which are processed on the basis of Article 6(1)(f) GDPR. In contrast to the specific right to object regarding data processing for promotional purposes, we are only obliged to action such general right to object if you cite grounds of overriding importance, e.g. a possible risk to life or health. In addition you have the option to contact the supervisory authority responsible for Lidl Stiftung & Co. KG or the data protection officer of Lidl Stiftung & Co. KG (see section IV.4).

7.     Right to lodge a complaint with the data protection supervisory authority pursuant to Article 77 GDPR

You also have a right to lodge a complaint with the competent data protection supervisory authority at any time. In order to do this you can contact the data protection supervisory authority of the German Land where you have your place of residence or the authority of the Land of Baden-Württemberg as the Land where Lidl Stiftung & Co. KG is headquartered.


8.     Exercising your rights

Points of contact in the event of questions or in order to exercise your data protection rights

In order to exercise your rights in the processing of your data (data protection rights) please contact Lidl customer service:

https://www.lidl.de/contact

9.    Controller and data protection officer

This privacy policy applies to the processing of data by Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74167 Neckarsulm, Germany ("Controller") and for the website www.info.lidl.

You can contact the Controller at corporate.communications.international@lidl.com. For questions about data protection with respect to the operation of the website www.info.lidl , please contact the company data protection officer of Lidl Stiftung & Co. KG at the aforementioned address to the attention of the data protection officer or at datenschutz@lidl.com.